Facebook CEO Mark Zuckerberg testifies at a Senate committee hearing in the wake of the Cambridge Analytica scandal. Photo: AFP

Facebook’s announcement that it is investing more than US$1 billion in building a new data centre in Singapore underlines how multinational technology firms are re-examining their operations as they face regulatory headwinds in Asian countries increasingly concerned with protecting their own data and data flows.

The data centre, projected to start operations in 2022, is a testament to Facebook’s long-term commitment to Southeast Asia, home to 360 million users of the website. In choosing Singapore to host its first data centre in Asia, Facebook has confirmed the city state’s status as the region’s data storage hub, a status that owes much to its strong data and intellectual property protection laws.

Another factor that is likely to have influenced Facebook’s decision is Singapore’s cross-border data transfer policy, which allows data to be sent abroad if the recipient country has strong data protection laws comparable to those of Singapore. This might help Facebook navigate future data privacy laws in several Asian jurisdictions, which are currently mulling over their respective versions of the General Data Protection Regulation (GDPR) that has been introduced by the European Union.

DATA PRIVACY RULES

China, South Korea, India, Indonesia, Thailand, and Vietnam are among the Asian countries that have either recently passed or proposed regulations on data protection. Unlike Singapore, however, data privacy rules in these countries tend to be unbalanced. While they require internet companies to store citizens’ data on local servers, an act known as data localisation, these countries will also restrict cross-border data transfers, an essential practice in an increasingly borderless digital world.

Data localisation, which allows the authorities to have easy access to user data in an investigation, could also raise the cost of business for multinational internet companies and local start-ups that rely on overseas cloud servers provided by the likes of Amazon and Google, critics say. In Asia, only Singapore and Japan are considered to have robust cybersecurity and data privacy laws, while also catering to cross-border transfers.

“Cross-border data flow is essential for the development of the digital economy, which countries globally are seeing as the engine of growth for GDP, trade, job creation, innovation and productivity,” says Jeff Paine, managing director of the Asia Internet Coalition, an industry group whose members include Facebook, Amazon, Google, and Apple. “Governments should realise that not only do data localisation policies restrict opportunities for businesses to grow domestically and globally, but they, in fact, increase vulnerabilities and don’t address the core concern of cybersecurity.”

The EU’s passage in May of the GDPR, a law that requires internet companies to obtain consent from European consumers before using their information, has served as a boost for Asian states to implement their own legal frameworks on data privacy.

However, Paine notes “there is a misperception that locally stored data is the answer to more security”.

“In reality, ring-fencing data to a locality actually narrows the point of attack and creates more security vulnerabilities,” he says. “Cloud-based storage ensures that data is distributed at different points of the network, across multiple geographies, to minimise the risks from a single point of failure or breach.”

NEW CYBERSECURITY MEASURES

In India, the world’s fastest-growing market for new internet users, the government is in the midst of seeking public feedback on the draft Personal Data Protection (PDP) bill that was unveiled in July. The bill, taking its cue from the EU’s GDPR, proposes new cybersecurity measures such as data localisation, users’ explicit consent on personal data usage, right to be forgotten, and cross-border data transfers. A panel of tech experts is also planning to recommend to the government the expansion of the data localisation rule to cloud computing, which would be a further blow for cloud operators such as Amazon, IBM, and Microsoft. Failure to comply with these requirements will result in fines of up to US$2 million or 4 per cent of the company’s global revenue.

As it stands now, the bill’s definition of sensitive data is deemed too broad, which would affect companies’ ability to transfer data out of the country, according to analysts.

“The definition of sensitive personal data [in the bill] could be reviewed. For example, financial data, official identifiers, passwords are important but by themselves and in isolation are not sensitive, even in aggregate,” says Ashish Aggarwal, senior director for public policy at the National Association of Software and Services Companies, an industry lobby based in Delhi. “They may require a higher level of consent for storage and processing but they may not require stricter control over their cross-border flow.”

While the PDP bill is unlikely to be passed this year, the impact of data localisation rules could be seen as early as next month, as digital payment companies operating in India are required by the Reserve Bank of India to store payments data within the country by October 15. This rule also applies to foreign payment services firms such as MasterCard, Visa, and PayPal. Already, Apple is said to have ditched its plans to introduce Apple Pay in the country due to regulatory uncertainty, following the steps taken by Amazon and WhatsApp, according to The Economic Times.

“In India, [data localisation] will undermine firm productivity and competitiveness, and ultimately the economy’s productivity, by forcing firms to spend more than necessary on IT services,” says Nigel Cory, associate director of trade policy at Washington-based think tank Information Technology and Innovation Foundation. “This cost is not only borne by those firms directly impacted by the data localisation requirements, such as financial payment processors, but all IT service users, as it forces everyone to pay more for these services.”

NEW RULES DO OFFER BENEFITS

In Southeast Asia, Vietnam, Indonesia, and Thailand have introduced data localisation and content censorship measures that critics say could be used to crack down on political dissent. In these countries, internet service providers are required to have a domestic presence to enable the authorities to check on illegal content and subject the companies to local tax laws. South Korea has adopted a similar stance, with its lawmakers this week proposing four bills that mandate foreign internet companies to set up physical servers within Korea.

To be sure, not all parties are opposed to the data localisation rule. Paytm, India’s largest digital payment company, last month said it had teamed up with its investor Alibaba, which owns South China Morning Post, to set up cloud servers in India to tap into the country’s growing data centre demands. Another payment company, PhonePe, backed by retail behemoth Walmart, wrote a blog post this week saying that it fully supports the data localisation rule set by the central bank, although it asked for exceptions to be made for MasterCard, Visa, and other global payment networks by allowing them to do data mirroring, a practice to copy exact data in real-time from one server to another.

Indian tech start-ups argue that having data stored within the country is also beneficial to companies as proximity with cloud servers would prevent cloud service latency, or a delay between client request and server response.

“Our data centre is based in Mumbai. Shifting data from storage in Singapore or US to India is not that of much of a hassle,” says Sachin Jaiswal, co-founder of Bangalore-based artificial intelligence start-up Niki.ai. “It is also better [to store data in Indian servers] as the response time is much, much faster.”

Jaiswal points out that data localisation is a non-issue for many Indian tech start-ups that cater to clients abroad as the rule is applied only to those that serve Indian customers. Companies such as Amazon and Google also provide local hostings in India – both companies run data centre facilities in Mumbai – which offer cheaper hosting than their servers in the US, he adds.

“Broadly speaking, [data localisation] is beneficial to Indian companies as it creates a more level-playing field. Even for some big [foreign] companies, this is just a small hindrance, not a big cost,” Jaiswal says. “India has the resources [to set up a top-tier data centre], all it requires is just a little bit more of an effort from these brands.” ■